Survey on IP Address Abuse Reporting Practices and Managements
Dear NANOG community members, We are researchers from Virginia Tech. We are studying the management of Abuse contacts in WHOIS records for IP address and how abuse contacts are managed and how abuse reports are handled in practice, from both the sender side and the recipient side. To better understand the operational reality of abuse reporting, we invite you to participate in our surveys: For abuse report senders: https://forms.gle/oDAa8ZDnwsGZiNFT6 For abuse report recipients / abuse contacts: https://forms.gle/TPKjjwXFuhuX8GV7A Privacy & Data Usage: We are committed to protecting participants’ data. Survey responses will be handled carefully, and any reporting of results will not reveal personally identifiable information. Thank you for your time and for supporting this research! Best, Weitong
Abuse contacts in WHOIS records for IP address Huhwut?
ryuu.rg.net:/Users/randy> whois -h whois.ripe.net 147.28.0.0/23 ... inetnum: 147.28.0.0 - 147.28.15.255 netname: RGNET-RSCH-147-0 country: EE org: ORG-RO47-RIPE admin-c: RB45695-RIPE tech-c: RB45695-RIPE abuse-c: AR52766-RIPE <<<=== status: LEGACY mnt-by: MAINT-RGNET mnt-by: RIPE-NCC-LEGACY-MNT geofeed: https://rg.net/geofeed created: 2020-10-20T23:45:00Z last-modified: 2023-07-24T22:07:43Z source: RIPE # Filtered ryuu.rg.net:/Users/randy> whois -h whois.ripe.net AR52766-RIPE ... role: Abuse-C Role address: Sakala tn 7-2 address: EE-10141 address: Tallinn address: ESTONIA nic-hdl: AR52766-RIPE abuse-mailbox: blackhole@bogus.com mnt-by: MAINT-RGNET created: 2019-05-20T12:22:32Z last-modified: 2019-05-23T10:07:48Z source: RIPE # Filtered
Hi Weitong, Your forms contain a lot of non-ARIN relevant data. Who is your professor or advisor supervising this surveys? I'd appreciate it if you could briefly explain the main goal of the study and why the data is being collected. -- Best regards, Sergey
On 4/22/2026, at 22:23, Li, Weitong via NANOG <nanog@lists.nanog.org> wrote:
Dear NANOG community members, We are researchers from Virginia Tech. We are studying the management of Abuse contacts in WHOIS records for IP address and how abuse contacts are managed and how abuse reports are handled in practice, from both the sender side and the recipient side. To better understand the operational reality of abuse reporting, we invite you to participate in our surveys: For abuse report senders: https://forms.gle/oDAa8ZDnwsGZiNFT6 For abuse report recipients / abuse contacts: https://forms.gle/TPKjjwXFuhuX8GV7A Privacy & Data Usage: We are committed to protecting participants’ data. Survey responses will be handled carefully, and any reporting of results will not reveal personally identifiable information. Thank you for your time and for supporting this research! Best, Weitong _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/26FSBQWI...
On Wed, Apr 22, 2026 at 04:44:16PM -0700, Randy Bush wrote:
abuse-mailbox: blackhole@bogus.com
So were you trying to reinforce my point or ...? But seriously, to the VT researcher: Take 100 random IPs and run them through WHOIS and try to come up with anything close to useful abuse contacts. Don't like random? Take a statistical sample from a blacklist. If you don't know where to find one, here: https://github.com/bitwire-it/ipblocklist It's a short script. Write it and run it. You don't need a survey to understand that the efficacy approaches zero faster than my investment in United Buggywhip, Cassette Tape, and Coal Delivery Inc. -- . ___ ___ . . ___ . \ / |\ |\ \ . _\_ /__ |-\ |-\ \__
Hi Weitong, Who is your PI? Is this survey approved by the HREC/REB/IRB of your institution? You must understand, this survey seems a little suspect since it's on google forms, does not identify you, your institution, nor your PI, does not contain an ethics approval number, and does not contain contact information. -- Jamie (NullNet AS25912) On April 22, 2026 1:23:37 p.m. PDT, "Li, Weitong via NANOG" <nanog@lists.nanog.org> wrote:
Dear NANOG community members, We are researchers from Virginia Tech. We are studying the management of Abuse contacts in WHOIS records for IP address and how abuse contacts are managed and how abuse reports are handled in practice, from both the sender side and the recipient side. To better understand the operational reality of abuse reporting, we invite you to participate in our surveys: For abuse report senders: https://forms.gle/oDAa8ZDnwsGZiNFT6 For abuse report recipients / abuse contacts: https://forms.gle/TPKjjwXFuhuX8GV7A Privacy & Data Usage: We are committed to protecting participants’ data. Survey responses will be handled carefully, and any reporting of results will not reveal personally identifiable information. Thank you for your time and for supporting this research! Best, Weitong _______________________________________________ NANOG mailing list https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/26FSBQWI...
Dear NANOG, Thank you for the replies — both the substantive critiques and the pointed ones. Jamie and Sergey were right that the original note should have identified the researchers, the institution, the advisor, and the IRB tracking number, and I apologize for that omission. For the record: - Researchers: myself (Weitong Li, Postdoctoral Researcher, weitongli@vt.edu) and my advisor, Prof. Taejoong (Tijay) Chung (tijay@cs.vt.edu), Department of Computer Science, Virginia Tech. - Ethics review: the study, including the two surveys, has been reviewed by the Virginia Tech Human Research Protection Program and determined to be Not Human Subjects Research (IRB tracking number IRB-26-064). No personally identifiable information is collected, and the organization/ASN field is explicitly optional. Questions about participant rights can go to irb@vt.edu. On the substance: Izaac suggested that running a script over WHOIS is enough to show that abuse contacts are broken. I agree that measurement is where this work starts, and the surveys are in fact a small complement to a larger measurement study — distributed honeypot observations plus a randomized controlled reporting experiment across several thousand reports — that attempts exactly the kind of systematic evaluation a one-shot script cannot provide: how effectiveness varies by recipient choice, by registry, by infrastructure type (ISP / hosting / leasing / BYOIP), and by follow-up strategy. What measurement cannot see is the operator-side reasoning: how abuse desks triage reports, which evidence they actually find useful, and why a structured abuse-c field sometimes loses to a free-text note — or to a well-placed trolling address. Randy, thanks for the live demo; AR52766-RIPE is a memorable case in point and sits squarely inside what we are trying to characterize, namely the gap between what registry records look like and what they do in practice. The surveys exist to capture that operator-side reasoning, not to substitute for measurement. The surveys are now reopened with updated consent information at the top of each form: - Abuse report senders: https://forms.gle/oDAa8ZDnwsGZiNFT6 - Abuse report recipients / abuse contacts: https://forms.gle/TPKjjwXFuhuX8GV7A One more note, and an apology: if you already submitted a response before the surveys were paused, thank you, and I am sorry to have to ask this — those earlier responses fell outside the updated consent terms and will not be used in our analysis. If you are willing to submit again under the updated consent, it would be genuinely appreciated, and if you prefer not to, I completely understand. If there are questions, we should consider adding, framings we should adjust, or sharp operational cases we ought to cover, I would be glad to hear from the list, on or off. Thanks again, Weitong Li Virginia Tech weitongli@vt.edu ________________________________ From: Li, Weitong via NANOG <nanog@lists.nanog.org> Sent: Wednesday, April 22, 2026 4:23 PM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Li, Weitong <weitongli@vt.edu> Subject: Survey on IP Address Abuse Reporting Practices and Managements Dear NANOG community members, We are researchers from Virginia Tech. We are studying the management of Abuse contacts in WHOIS records for IP address and how abuse contacts are managed and how abuse reports are handled in practice, from both the sender side and the recipient side. To better understand the operational reality of abuse reporting, we invite you to participate in our surveys: For abuse report senders: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforms.gle%2FoDAa8ZDnwsGZiNFT6&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862721897585%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=YMzV5vbvpljNuqQ0r7Hu3ezyGWWCD%2FWVmQGsuy0RBHc%3D&reserved=0<https://forms.gle/oDAa8ZDnwsGZiNFT6> For abuse report recipients / abuse contacts: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforms.gle%2FTPKjjwXFuhuX8GV7A&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862721965020%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=8fAbyFls3JqiLBJ04MNL24rpJGgm6Gx38gQgGFR3gqo%3D&reserved=0<https://forms.gle/TPKjjwXFuhuX8GV7A> Privacy & Data Usage: We are committed to protecting participants’ data. Survey responses will be handled carefully, and any reporting of results will not reveal personally identifiable information. Thank you for your time and for supporting this research! Best, Weitong _______________________________________________ NANOG mailing list https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nanog.org%2Farchives%2Flist%2Fnanog%40lists.nanog.org%2Fmessage%2F26FSBQWIG7WGMEKEZCVJE5R566BMME7O%2F&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862722028081%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=QpGMtkbCYOwiJ5z16o5ks2SydMPE%2BzRLlVHt6QKb3zA%3D&reserved=0<https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/26FSBQWIG7WGMEKEZCVJE5R566BMME7O/>
Weitong- Thanks for the response. Few comments. The entire industry can tell you that the signal to nose ratio of most abuse reporting mailboxes is heavily skewed towards noise. If an operator has an abuse email anywhere, it will be run over with complaints from users who saw one of their IPs in a spam message header, or who saw something logged in their home router/firewall logs and WANTS YOU TO MAKE THESE ATTACKS STOP IMMEDIATELY. Many out there automate these 'reports' themselves. (Special hello the fine gentlemen who has my personal email on the CC list of the more than 1 million spam complaints he's made to my previous employer in the 15 years since I left that job. ) Every organization is different, but most of the time the abuse box becomes a lost cause because of this stream of garbage. It becomes a time/money sink to filter out the noise, so it becomes either totally ignored, or only sporadically/half-heartedly checked. On Thu, Apr 23, 2026 at 3:34 PM Li, Weitong via NANOG <nanog@lists.nanog.org> wrote:
Dear NANOG,
Thank you for the replies — both the substantive critiques and the pointed ones. Jamie and Sergey were right that the original note should have identified the researchers, the institution, the advisor, and the IRB tracking number, and I apologize for that omission.
For the record:
- Researchers: myself (Weitong Li, Postdoctoral Researcher, weitongli@vt.edu) and my advisor, Prof. Taejoong (Tijay) Chung ( tijay@cs.vt.edu), Department of Computer Science, Virginia Tech.
- Ethics review: the study, including the two surveys, has been reviewed by the Virginia Tech Human Research Protection Program and determined to be Not Human Subjects Research (IRB tracking number IRB-26-064). No personally identifiable information is collected, and the organization/ASN field is explicitly optional. Questions about participant rights can go to irb@vt.edu.
On the substance: Izaac suggested that running a script over WHOIS is enough to show that abuse contacts are broken. I agree that measurement is where this work starts, and the surveys are in fact a small complement to a larger measurement study — distributed honeypot observations plus a randomized controlled reporting experiment across several thousand reports — that attempts exactly the kind of systematic evaluation a one-shot script cannot provide: how effectiveness varies by recipient choice, by registry, by infrastructure type (ISP / hosting / leasing / BYOIP), and by follow-up strategy.
What measurement cannot see is the operator-side reasoning: how abuse desks triage reports, which evidence they actually find useful, and why a structured abuse-c field sometimes loses to a free-text note — or to a well-placed trolling address. Randy, thanks for the live demo; AR52766-RIPE is a memorable case in point and sits squarely inside what we are trying to characterize, namely the gap between what registry records look like and what they do in practice. The surveys exist to capture that operator-side reasoning, not to substitute for measurement.
The surveys are now reopened with updated consent information at the top of each form:
- Abuse report senders: https://forms.gle/oDAa8ZDnwsGZiNFT6
- Abuse report recipients / abuse contacts: https://forms.gle/TPKjjwXFuhuX8GV7A
One more note, and an apology: if you already submitted a response before the surveys were paused, thank you, and I am sorry to have to ask this — those earlier responses fell outside the updated consent terms and will not be used in our analysis. If you are willing to submit again under the updated consent, it would be genuinely appreciated, and if you prefer not to, I completely understand.
If there are questions, we should consider adding, framings we should adjust, or sharp operational cases we ought to cover, I would be glad to hear from the list, on or off.
Thanks again, Weitong Li Virginia Tech
weitongli@vt.edu
________________________________ From: Li, Weitong via NANOG <nanog@lists.nanog.org> Sent: Wednesday, April 22, 2026 4:23 PM To: nanog@lists.nanog.org <nanog@lists.nanog.org> Cc: Li, Weitong <weitongli@vt.edu> Subject: Survey on IP Address Abuse Reporting Practices and Managements
Dear NANOG community members, We are researchers from Virginia Tech. We are studying the management of Abuse contacts in WHOIS records for IP address and how abuse contacts are managed and how abuse reports are handled in practice, from both the sender side and the recipient side. To better understand the operational reality of abuse reporting, we invite you to participate in our surveys: For abuse report senders: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforms.gle%2FoDAa8ZDnwsGZiNFT6&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862721897585%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=YMzV5vbvpljNuqQ0r7Hu3ezyGWWCD%2FWVmQGsuy0RBHc%3D&reserved=0 <https://forms.gle/oDAa8ZDnwsGZiNFT6> For abuse report recipients / abuse contacts: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fforms.gle%2FTPKjjwXFuhuX8GV7A&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862721965020%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=8fAbyFls3JqiLBJ04MNL24rpJGgm6Gx38gQgGFR3gqo%3D&reserved=0 <https://forms.gle/TPKjjwXFuhuX8GV7A> Privacy & Data Usage: We are committed to protecting participants’ data. Survey responses will be handled carefully, and any reporting of results will not reveal personally identifiable information. Thank you for your time and for supporting this research! Best, Weitong _______________________________________________ NANOG mailing list
https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Flists.nanog.org%2Farchives%2Flist%2Fnanog%40lists.nanog.org%2Fmessage%2F26FSBQWIG7WGMEKEZCVJE5R566BMME7O%2F&data=05%7C02%7Cweitongli%40vt.edu%7Cf3a09e1a79794edef86a08dea0ad27a5%7C6095688410ad40fa863d4f32c1e3a37a%7C0%7C0%7C639124862722028081%7CUnknown%7CTWFpbGZsb3d8eyJFbXB0eU1hcGkiOnRydWUsIlYiOiIwLjAuMDAwMCIsIlAiOiJXaW4zMiIsIkFOIjoiTWFpbCIsIldUIjoyfQ%3D%3D%7C0%7C%7C%7C&sdata=QpGMtkbCYOwiJ5z16o5ks2SydMPE%2BzRLlVHt6QKb3zA%3D&reserved=0 < https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/26FSBQWI...
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/XQGSSGDJ...
The entire industry can tell you that the signal to nose ratio of most abuse reporting mailboxes is heavily skewed towards noise. If an operator has an abuse email anywhere, it will be run over with complaints from users who saw one of their IPs in a spam message header, or who saw something logged in their home router/firewall logs and WANTS YOU TO MAKE THESE ATTACKS STOP IMMEDIATELY.
not our experience. we have non-trivial research space, some of which does active probing, nothing hostile. we get a message or two a month. and we respond. tiny compared to the general level of spam and of the folk skimming whois data for email addys to try to sell or buy ipv4 space. as your experience is so unlike ours, should we suspect there is a skewed distribution? perhaps this research project will tell us. randy
Adding onto Randy's comment as every higher-ed I've worked for has had research space that's does active probing. Part of dealing with that is the security team will respond to any emails to the abuse contacts. Additionally, I think it would be interesting to include from the perspective of the reporters. We have automated reporting in place for phishing urls where we let the operator of that space know what's going on. We've got some really good responses from folks like Gandi, who are extremely proactive in taking these complaints seriously. Cheers, Harry On Fri, Apr 24, 2026 at 12:22 PM Randy Bush via NANOG <nanog@lists.nanog.org> wrote:
The entire industry can tell you that the signal to nose ratio of most abuse reporting mailboxes is heavily skewed towards noise. If an operator has an abuse email anywhere, it will be run over with complaints from users who saw one of their IPs in a spam message header, or who saw something logged in their home router/firewall logs and WANTS YOU TO MAKE THESE ATTACKS STOP IMMEDIATELY.
not our experience. we have non-trivial research space, some of which does active probing, nothing hostile. we get a message or two a month. and we respond. tiny compared to the general level of spam and of the folk skimming whois data for email addys to try to sell or buy ipv4 space.
as your experience is so unlike ours, should we suspect there is a skewed distribution? perhaps this research project will tell us.
randy _______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/VSMWWXSI...
participants (7)
-
Harry Hoffman -
Izaac -
Jamie Null (Mobile) -
Li, Weitong -
nanog@netartgroup.com -
Randy Bush -
Tom Beecher